From bce3bc02e1878c40cea4465934159ed914adfc01 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Thu, 9 Feb 2023 21:25:56 +0000
Subject: [PATCH 1/2] fixups for httpd error logging and supervisord, pin shibd version
---
 Dockerfile | 35 +++++++--------------
 container_files/httpd/09_i2inc_env.conf | 3 ++
 container_files/httpd/09_i2inc_logging.conf | 10 ++++++
 container_files/httpd/autoindex.conf | 2 ++
 container_files/httpd/userdir.conf | 2 ++
 container_files/httpd/welcome.conf | 2 ++
 container_files/system/startup.sh | 10 +++++-
 container_files/system/supervisord.conf | 16 +++++++++-
 8 files changed, 55 insertions(+), 25 deletions(-)
 create mode 100644 container_files/httpd/09_i2inc_env.conf
 create mode 100644 container_files/httpd/09_i2inc_logging.conf
 create mode 100644 container_files/httpd/autoindex.conf
 create mode 100644 container_files/httpd/userdir.conf
 create mode 100644 container_files/httpd/welcome.conf
diff --git a/Dockerfile b/Dockerfile
index dd92f08..265f2a0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ FROM centos:centos7
 ARG maintainer=tier
 ARG imagename=shibboleth_sp
 ARG version=3.4.0
-ARG TIERVERSION=20221103
+ARG TIERVERSION=20230203
 MAINTAINER $maintainer
 LABEL Vendor="Internet2"
@@ -15,6 +15,10 @@ LABEL Version=$version
 LABEL Build docker build --rm --tag $maintainer/$imagename .
+#For logging customization
+ENV ENV=dev \
+ USERTOKEN=nothing
+
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
 && echo "NETWORKING=yes" > /etc/sysconfig/network
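Review bot: `ENV ENV=dev` puts a variable literally named ENV into every process's environment, and a POSIX-mode shell started interactively (CentOS 7's /bin/sh is bash in sh mode) expands `$ENV` and sources the file it names, so a `docker exec -it … sh` into this image would try to read a file called `dev` relative to its working directory — harmless when absent, surprising when not. The name is already relied on by startup.sh and the log formats, so renaming is a larger change than this commit; a comment on these two lines would at least record the intent, e.g. `# Deployment-time labels emitted on every log line; the defaults are placeholders, override with -e ENV=… -e USERTOKEN=…`. The `dev` default also means an unconfigured deployment labels its logs as `dev` rather than failing visibly, which may or may not be what you want.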
@@ -24,39 +28,23 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=
 #install shibboleth, cleanup httpd
 COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo
-RUN yum -y install shibboleth.x86_64 \
- && yum clean all \
- && rm /etc/httpd/conf.d/autoindex.conf \
- && rm /etc/httpd/conf.d/userdir.conf \
- && rm /etc/httpd/conf.d/welcome.conf
+RUN yum -y install shibboleth-$version-\*.x86_64 \
+ && yum clean all
-# Export this variable so that shibd can find its CURL library
-RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"
-RUN export LD_LIBRARY_PATH
-
-ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/
+ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/
 ADD ./container_files/shibboleth/* /etc/shibboleth/
-
-# fix httpd logging to tier format
-RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
- && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
- && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
- && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
- && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
- && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
- && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf
+RUN sed -i '/^[[:space:]]*CustomLog/s/^/#/' /etc/httpd/conf/httpd.conf
 # add a basic page to shibb's default protected directory
 RUN mkdir -p /var/www/html/secure/; mkdir -p /opt/tier/
 ADD container_files/httpd/index.html /var/www/html/secure/
-
 # setup crond and supervisord
 ADD container_files/system/startup.sh /usr/local/bin/
 ADD container_files/system/setupcron.sh /usr/local/bin/
 ADD container_files/system/setenv.sh /opt/tier/
 ADD container_files/system/sendtierbeacon.sh /usr/local/bin/
-ADD container_files/system/supervisord.conf /etc/supervisor/
+ADD container_files/system/supervisord.conf /etc/supervisord.conf
 RUN mkdir -p /etc/supervisor/conf.d \
 && chmod +x /usr/local/bin/setupcron.sh \
 && chmod +x /usr/local/bin/sendtierbeacon.sh \
@@ -66,12 +54,13 @@ RUN mkdir -p /etc/supervisor/conf.d \
 #set cron to not require a login session
 RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond
+# Link the old location of the file for compatibility
+RUN cd /etc/supervisor && ln -s ../supervisord.conf supervisord.conf
 EXPOSE 80 443
 HEALTHCHECK --interval=1m --timeout=30s \
 CMD curl -k -f https://127.0.0.1/Shibboleth.sso/Status || exit 1
-
 CMD ["/usr/local/bin/startup.sh"]
diff --git a/container_files/httpd/09_i2inc_env.conf b/container_files/httpd/09_i2inc_env.conf
new file mode 100644
index 0000000..7a87fd7
--- /dev/null
+++ b/container_files/httpd/09_i2inc_env.conf
@@ -0,0 +1,3 @@
+PassEnv ENV
+PassEnv USERTOKEN
+
diff --git a/container_files/httpd/09_i2inc_logging.conf b/container_files/httpd/09_i2inc_logging.conf
new file mode 100644
index 0000000..fd69737
--- /dev/null
+++ b/container_files/httpd/09_i2inc_logging.conf
@@ -0,0 +1,10 @@
+# Redefine LogFormats for I2/InCommon format
+# Outputs to logpipe
+
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b" common
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+CustomLog "/tmp/logpipe" combined
+ErrorLog "/tmp/logpipe"
+
diff --git a/container_files/httpd/autoindex.conf b/container_files/httpd/autoindex.conf
new file mode 100644
index 0000000..f157082
--- /dev/null
+++ b/container_files/httpd/autoindex.conf
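Review bot: The replacement RUN drops the `UseCanonicalName On` that the removed `sed -i '/UseCanonicalName/c\UseCanonicalName On'` applied, and none of the new conf.d fragments restores it, so if that sed was matching a line in the stock httpd.conf this commit silently returns httpd to its default of building self-referential URLs from the client-supplied Host header; either add `UseCanonicalName On` to 09_i2inc_env.conf or say in the commit message that the drop is deliberate. The new `ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/` copies plain local files, so `COPY` is the conventional instruction (hadolint DL3020) — the other ADD lines in this hunk are the same case. The `yum -y install shibboleth-$version-\*.x86_64` pin is the right direction; a short why-comment, e.g. `# pin shibd to the SP release advertised by $version rather than whatever the repo currently serves`, would keep it from being "simplified" away later.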
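Review bot: `RUN cd /etc/supervisor && ln -s ../supervisord.conf supervisord.conf` changes directory inside the RUN (hadolint DL3003) when an absolute link path does the same thing in one command: `RUN ln -s ../supervisord.conf /etc/supervisor/supervisord.conf`. The comment above it explains what but not why; since startup.sh in this same patch now execs supervisord with `-c /etc/supervisord.conf`, something like `# Keep /etc/supervisor/supervisord.conf resolvable for anything outside this image that still uses the old path` would tell the next reader whether the link can ever be removed.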
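Review bot: `ErrorLog "/tmp/logpipe"` and `CustomLog "/tmp/logpipe" combined` are main-server-context directives, and httpd reads conf.d fragments in name order, so this `09_` file is processed before the `ssl.conf` that the same `ADD *.conf` copies in; if that ssl.conf still carries the stock `ErrorLog`/`TransferLog` lines inside its `<VirtualHost>`, HTTPS requests — the ones Shibboleth actually protects — keep logging to files under logs/ rather than to the pipe. ssl.conf is not part of this patch so I cannot confirm either way; a comment stating the assumption, e.g. `# Main-server logging; the HTTPS vhost in ssl.conf must not set its own ErrorLog/CustomLog or these are bypassed`, would make the coupling visible. The `# Outputs to logpipe` comment could also name who creates the pipe (startup.sh, `mkfifo -m 666 /tmp/logpipe`), since if the FIFO is not there before httpd opens the path httpd would presumably create an ordinary file at it instead.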
@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+
diff --git a/container_files/httpd/userdir.conf b/container_files/httpd/userdir.conf
new file mode 100644
index 0000000..f157082
--- /dev/null
+++ b/container_files/httpd/userdir.conf
@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+
diff --git a/container_files/httpd/welcome.conf b/container_files/httpd/welcome.conf
new file mode 100644
index 0000000..f157082
--- /dev/null
+++ b/container_files/httpd/welcome.conf
@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+
diff --git a/container_files/system/startup.sh b/container_files/system/startup.sh
index 9d3a5a2..efa0ec4 100755
--- a/container_files/system/startup.sh
+++ b/container_files/system/startup.sh
@@ -1,11 +1,19 @@
 #!/bin/sh
 #for passed-in env vars, remove spaces and replace any ; with : in usertoken env var since we will use ; as a delimiter
+echo -e "Usertoken: ${USERTOKEN}"
+echo -e "Environment: ${ENV}"
 export USERTOKEN="${USERTOKEN//;/:}"
 export USERTOKEN="${USERTOKEN// /}"
 export ENV="${ENV//;/:}"
 export ENV="${ENV// /}"
+# Apache httpd's ErrorLogFormat only expands environment variables for messages
+# generated in the context of a request, so the only known reliable way to
+# include ENV and USERTOKEN is to write the config when the container starts.
+echo '# This file is generated in startup.sh. Do Not Modify!' > /etc/httpd/conf.d/10_errorlogformat.conf
+echo -e "\nErrorLogFormat \"httpd;error_log;${ENV};${USERTOKEN};[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf.d/10_errorlogformat.conf
+
 # generic console logging pipe for anyone
 mkfifo -m 666 /tmp/logpipe
 cat <> /tmp/logpipe 1>&2 &
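Review bot: The generated `ErrorLogFormat` directive interpolates `${ENV}` and `${USERTOKEN}` straight into a double-quoted httpd string, but the substitutions above only remove spaces and turn `;` into `:`, so a value containing `"`, a backslash or a newline can leave 10_errorlogformat.conf syntactically broken, which httpd rejects at startup. Both values arrive from the container environment at deploy time, so restricting them to a safe character set is simpler than escaping: `export ENV="$(printf '%s' "$ENV" | tr -cd 'A-Za-z0-9_.:@-')"` and the same for USERTOKEN, placed before the file is written (this also covers the `;` and space cases the existing lines handle). The two new `echo -e` lines print USERTOKEN verbatim to the console before any cleanup; if that value can ever be sensitive it should be omitted or truncated there. Note the script is `#!/bin/sh` while `${VAR//;/:}` is a bash-only expansion — pre-existing, and the new `echo -e` lines add to that dependency; the script continues past the end of this hunk.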
@@ -23,5 +31,5 @@ mkfifo -m 666 /tmp/logshibd
 (cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shibd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
 #launch supervisord
-exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+exec /usr/bin/supervisord -c /etc/supervisord.conf
diff --git a/container_files/system/supervisord.conf b/container_files/system/supervisord.conf
index 41bb0b1..4444945 100644
--- a/container_files/system/supervisord.conf
+++ b/container_files/system/supervisord.conf
@@ -5,6 +5,20 @@ loglevel=error
 nodaemon=true
 user=root
+[unix_http_server]
+file=/var/run/supervisor/supervisor.sock
+; See https://github.com/Supervisor/supervisor/issues/717
+username = nobody
+password = password
+
+[supervisorctl]
+serverurl=unix:///var/run/supervisor/supervisor.sock
+username = nobody
+password = password
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
 [program:cron]
 command=/usr/sbin/crond -n
 autostart=true
@@ -35,4 +49,4 @@ stderr_logfile_maxbytes=0
 environment=LD_LIBRARY_PATH=/opt/shibboleth/lib64
 [include]
-files=/etc/supervisor/conf.d/*
+files=supervisord.d/*.ini /etc/supervisor/conf.d/*
From 9de1d3ce0e839478c96defc1368673ffb6db8ee0 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Mon, 12 Jun 2023 07:47:36 -0500
Subject: [PATCH 2/2] update to 3.4.1
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 265f2a0..2bb817f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,8 @@ FROM centos:centos7
 # Define args and set a default value
 ARG maintainer=tier
 ARG imagename=shibboleth_sp
-ARG version=3.4.0
-ARG TIERVERSION=20230203
+ARG version=3.4.1
+ARG TIERVERSION=20230612
 MAINTAINER $maintainer
 LABEL Vendor="Internet2"
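Review bot: `password = password` is a fixed credential committed to the repository and baked into every image, guarding a control socket whose server runs as root (`user=root`) — and the linked issue is about silencing the no-authentication warning, so this credential is not what protects the socket; its filesystem mode is. State that explicitly with `chmod=0700` under `[unix_http_server]` (supervisor's documented default, but writing it prevents a later edit from loosening it unnoticed), and either generate the password at container start or store a `{SHA}`-hashed value instead of a dictionary word, with a comment saying the credential exists only to satisfy the warning. It is also not visible in this patch whether `/var/run/supervisor/` exists in the image; as far as I know supervisord does not create the socket's parent directory, so if the package does not ship it the Dockerfile needs a `mkdir -p /var/run/supervisor` (or the socket path should point at a directory that already exists). The relative `files=supervisord.d/*.ini` in the later hunk resolves against the config file's own directory, i.e. /etc/supervisord.d/, which is consistent with the new `-c /etc/supervisord.conf` but deserves a one-line comment.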